Which is the difference between exclusions to SSL/TLS inspection rules under rules and policies and under Web Menu?

Question

Exclusions to SSL/TLS inspection rules 
 XG Firewall provides default exclusion rules for websites and applications. These rules are positioned at the top of the SSL/TLS inspection rule table and are evaluated first. You can&rsquo;t change their sequence in the rule table. 
 To the default exclusion rules, add only applications and websites that you don&rsquo;t want to decrypt in any SSL/TLS inspection rule. 
 To exclude traffic from decryption using other criteria, you can create additional rules with action set to Do not decrypt and place them immediately below the default rules. 
 Exclusions by website or category : Contains the following exclusion lists:
 
 Local TLS exclusion list: The list is empty by default. You can&rsquo;t delete it from the exclusion rule. You can add domains to this list based on troubleshooting outcomes. Websites excluded through the control center or the log viewer are also added to this list. To edit this list, go to Web > URL groups . 
 Managed TLS exclusion list: Contains domains known to be incompatible with SSL/TLS inspection and is updated through firmware updates. You can, however, remove the list from the exclusion rule.

Exclusions by application : The list is empty by default. To add to the list, select the exclusion rule and add the Synchronized Security applications . Applications excluded through the control center are also added to the list. 
 
 Please document the differences between this new tab/option from exceptions available in Web > exceptions. Which one takes precedence? 
 Thanks

RichBaldry · Accepted Answer

To answer the question from Dom Nik : 
 The DPI Engine can handle both encrypted and unencrypted HTTP traffic. 
 If you apply a web policy to a firewall rule, or enable "Scan traffic for malware and content", the DPI Engine will do all the scanning and policy enforcement for all ports. 
 If you also enable "Use the web proxy to transparently scan...", the proxy will take over the scanning and policy enforcement from the DPI Engine for ports 80 & 443 but the DPI Engine will continue to scan and enforce on other ports. 
 If you enable "Decrypt HTTPS traffic scanned by the web proxy" then any HTTPS traffic being handled by the proxy will be decrypted.

When Web Policy is not "None" and/or Scan traffic for malware is enabled 
 "Decrypt HTTPS traffic..." ENABLED 
 "Decrypt HTTPS traffic..." DISABLED

"Use the web proxy..." ENABLED 
 
 80 & 443: handled by proxy 
 Other ports: handled by DPI Engine

80 & 443: handled by proxy, and HTTPS is decrypted by proxy 
 Other ports: decrypted by DPI engine based on SSL/TLS rules

"Use the web proxy..." DISABLED 
 All ports: handled by DPI Engine 
 All ports: decrypted by DPI engine based on SSL/TLS rules

When Web Policy is "None" and Scan traffic for malware is disabled 
 "Decrypt HTTPS traffic..." ENABLED 
 "Decrypt HTTPS traffic..." DISABLED

"Use the web proxy..." ENABLED 
 No web policy or malware scanning is done. Traffic on all ports may still be decrypted by the DPI Engine according to SSL/TLS rules.

"Use the web proxy..." DISABLED

When I say 'all ports' here, I obviously mean 'all ports matched by the firewall rule'. 
 HTTPS exclusions: 
 Web Exceptions with 'Exclude HTTPS decryption': apply to both DPI Engine decryption and Proxy decryption. This was done to ease migration for customers switching from v17.5 and earlier who may already have had HTTPS exclusions set up in Web exceptions. 
 Exclusions on the SSL/TLS rules page are part of the SSL/TLS rule set and only apply to DPI Engine decryption. 
 When you exclude a web site/domain from the Control Center or from the Log Viewer, it is added to the 'Local TLS Exclusion list' URL Group, which is included in the default 'Exclusions by Website' rule (#1) to exclude traffic by website. 
 When you exclude a Sync Security App from the Control Center or Log Viewer, it is added directly to the default 'Exclusions by application' rule (#2) 
 To answer 's original question: Precedence is not really relevant when considering Web Exceptions vs TLS/SSL rules because if a site is excluded by either one or the other, it will not be decrypted by the DPI Engine. But if it helps, you could think of Web Exceptions being the first thing considered, and if there is a match, then no decryption or other TLS/SSL conditions will be applied.

Michael Dunn · Answer

The wording of some of this will change in a later EAP.

PMStuart · Answer

Here is my very simple setup. 2 Global Exclusion rules, 2 Do Not Decrypt rules for devices that cant import the appliance cert, and 2 decryption rules for everything else. 
 My Firewall does not have any web proxy selected, but I am scanning for Malware in the web streams.

PMStuart · Answer

As LuCar Toni said the documentation is not fully complete yet. In addition we will shortly release some videos on how to configure both the new DPI functionality and also NAT.

LuCar Toni · Answer

The Firewall Part of SSLx / web Proxy is not final yet. 
 RichBaldry can maybe show some more inputs here.